Privacy Policy
Last updated: 2026-06-07
This Privacy Policy explains how Apex Performance Marketing, Inc. ("we," "us," "our") collects, uses, discloses, and protects personal information when you use the Apex Investment Analyzer application (the "Service"). It also describes the privacy rights of California residents.
1. Information we collect
| Category | Examples | Source |
|---|---|---|
| Account identifiers | Username, email address | You, at sign-up |
| Authentication data | Password (stored only as an Argon2id hash), two-factor (TOTP) secret (stored encrypted) | You |
| Financial information (sensitive) | Investment holdings, account balances, investment transactions, institution names | Your financial institutions, via Plaid, with your authorization |
| Usage content | Your chat messages and the analysis generated in response | You / the Service |
| Consent records | The consent text, version, and timestamp you agreed to | You |
| Technical data | IP address, basic request logs | Automatically |
Financial-account and authentication information is treated as Sensitive Personal Information under California law.
2. How we use your information
- To authenticate you and secure your account (password, 2FA, sessions).
- To retrieve and display your financial data and generate educational analysis at your request.
- To send transactional emails (verification, password reset).
- To maintain security, prevent fraud and abuse, and comply with legal obligations.
We use your information only for the purposes described here. We do not use your financial data for advertising or to train third-party AI models for unrelated purposes.
3. How we disclose information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We disclose information only to the service providers needed to operate the Service, under contracts that limit their use of the data:
- Plaid — connects to your financial institutions. See Plaid's End User Privacy Policy.
- Anthropic — provides the AI model that generates analysis from your data.
- Amazon Web Services (SES) — sends transactional email; our database/hosting provider stores your data.
We may also disclose information if required by law, to enforce our Terms, or to protect the rights, safety, and security of users and the public.
4. How we protect your information
- Passwords are hashed with Argon2id; we never store them in plain text.
- Plaid access tokens and 2FA secrets are encrypted at rest.
- All data in transit is encrypted with TLS 1.2+.
- Access requires a password and mandatory two-factor authentication.
- Each user's data is isolated and accessible only to that user.
No method of transmission or storage is completely secure; we cannot guarantee absolute security.
5. Data retention and deletion
We retain your account and financial data only while your account is active and your institutions remain connected. Financial holdings/transactions are fetched on demand and are not cached beyond a request. You may permanently delete all stored data at any time using "Disconnect & delete my data" in the app, which also instructs Plaid to remove the associated items via its /item/remove endpoint. We review our retention practices periodically.
6. Your California privacy rights (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know / access the personal information we have collected about you.
- Delete your personal information (subject to legal exceptions).
- Correct inaccurate personal information.
- Limit the use of your Sensitive Personal Information to what is necessary to provide the Service (we already limit it to that).
- Opt out of sale/sharing — not applicable, because we do not sell or share your personal information.
- Non-discrimination for exercising your rights.
To exercise these rights, contact privacy@apexcalifornia.com. We will verify your request using your account credentials before acting on it. You may use an authorized agent to submit a request on your behalf.
7. Gramm-Leach-Bliley Act (GLBA) notice
To the extent the Service is treated as a financial institution under the GLBA, this Policy serves as our privacy notice: we collect nonpublic personal financial information as described above, use it only to provide the Service, do not sell it, and disclose it only to service providers as permitted by law. We maintain administrative, technical, and physical safeguards designed to protect it.
8. Consent
We record your explicit, versioned consent before connecting any financial institution. You may withdraw consent at any time by deleting your data, after which we will no longer access your financial accounts.
9. Children's privacy
The Service is not directed to anyone under 18, and we do not knowingly collect personal information from children.
10. Changes to this Policy
We may update this Policy from time to time. Material changes will be reflected by updating the "Last updated" date above.
11. Contact
Privacy questions or requests: privacy@apexcalifornia.com.
Security issues: security@apexcalifornia.com.